On 17-Aug-2002 Chris Glover wrote:
Hi,
You know those annoying Nimda scans you keep finding in your apache logs?
Anybody know if it's possible to create a custom error document for apache which, when the first address in a normal nimda scan is requested, the originator's IP is automatically added to the IPTables DROP table, so subsequent requests from that IP time out.
As has been mentioned, ErrorDocument does part of what you want. The problem is that in order to run ipchains/iptables you have to be root - Apache does not run as root. You therefore need a suid script to do the job, and suid scripts always make me a bit twitchy.
In my own setup I compromise by sending myself a mail so that I can then update the tables by hand. I also add the IP to a 'hackers' file that is fed to ipchains on every reboot.
The only time I got, slightly, bitten was when a subscriber to a mailing list I run was infected with CodeRed. His IP was blocked and it took me quite a while to work out why he could not send any postings.
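The split the reply describes (an unprivileged handler that only records the source address, and a separate root-side step that turns the record into firewall rules) can be sketched in a few functions. The following is an added example for this thread, not code posted by either correspondent: the log lines, the addresses, the 'hackers' file name and the allow-list network are all constructed, and the root-side function emits iptables commands as strings rather than executing them. It assumes Apache's ErrorDocument-to-CGI behaviour of passing the original request path in REDIRECT_URL and the client in REMOTE_ADDR.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): the web-server side only records
probe sources to a file it owns; a root-side job later validates that file
and emits iptables DROP rules, so no suid script is needed.
All sample data below is constructed."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Apache common/combined log format: client address first, request in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)

# The request strings the IIS worms of 2001 (Code Red, Nimda) sent to every
# web server: cmd.exe / root.exe lookups and the default.ida overflow probe.
# Apache answers 404, so an ErrorDocument 404 handler sees exactly these.
PROBE_RE = re.compile(r"(root\.exe|cmd\.exe|/default\.ida)", re.IGNORECASE)

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2002:10:01:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
198.51.100.20 - - [17/Aug/2002:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Aug/2002:10:01:06 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
192.0.2.99 - - [17/Aug/2002:10:02:11 +0100] "GET /default.ida?XXXX HTTP/1.0" 404 289 "-" "-"
garbage line that is not a log entry
"""


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, request_path), or None for a line that is not a log entry."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("path")) if m else None


def is_worm_probe(path: str) -> bool:
    """True if the request path carries one of the worm probe strings."""
    return PROBE_RE.search(path) is not None


def probe_record(environ: dict) -> Optional[str]:
    """Unprivileged side, body of an ErrorDocument 404 CGI handler.
    Apache passes the failed request path in REDIRECT_URL and the client in
    REMOTE_ADDR. Returns the validated address to append to the 'hackers'
    file, or None. Only a syntactically valid IP address is ever returned,
    so nothing from the request line can reach the root-side job."""
    if not is_worm_probe(environ.get("REDIRECT_URL", "")):
        return None
    try:
        return str(ipaddress.ip_address(environ.get("REMOTE_ADDR", "")))
    except ValueError:
        return None


def collect_offenders(lines: Iterable[str]) -> Set[str]:
    """Same test applied over an existing access log instead of live requests."""
    found: Set[str] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        rec = probe_record({"REMOTE_ADDR": ip, "REDIRECT_URL": path})
        if rec is not None:
            found.add(rec)
    return found


def iptables_rules(hackers_lines: Iterable[str],
                   allow: Iterable[str] = (),
                   already_blocked: Iterable[str] = ()) -> List[str]:
    """Root side (boot script or cron job). The 'hackers' file is writable
    by the web server user, so every entry is re-validated here rather than
    handed to a shell. Allow-listed networks are skipped so a known
    correspondent who catches the worm is not cut off silently, and
    addresses already in the chain are not inserted twice."""
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow]
    blocked = set(already_blocked)
    rules: List[str] = []
    for raw in hackers_lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # junk in the shared file is ignored, never executed
        if str(addr) in blocked or any(addr in net for net in allow_nets):
            continue
        blocked.add(str(addr))
        # DROP (not REJECT) is what makes the scanner's later requests time out.
        rules.append(f"iptables -I INPUT -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    offenders = collect_offenders(SAMPLE_LOG.splitlines())
    for rule in iptables_rules(sorted(offenders), allow=["198.51.100.0/24"]):
        print(rule)
```

Wired up, the CGI script named in `ErrorDocument 404` would call `probe_record(os.environ)`, append the result to the 'hackers' file, send the notification mail, and still return a `Status: 404` response so the client sees the normal error page; the root-side script reads that file at boot (as the reply does) or from cron and runs the returned commands.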